From: "Vladimir Z. Nuri" <vznuri@netcom.com>
Date: Sat, 19 Sep 1998 21:44:54 +0800
To: cypherpunks@cyberpass.net
Subject: IP: Hackers-turned-consultants see business boom
Message-ID: <199809200247.TAA12056@netcom13.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain




From: believer@telepath.com
Subject: IP: Hackers-turned-consultants see business boom
Date: Sat, 19 Sep 1998 11:53:29 -0500
To: believer@telepath.com

Source:  Fox News - AP

On guard now, hackers-turned-consultants see business boom
 11.00 a.m. ET (1501 GMT) September 19, 1998

 By Chris Allbritton, Associated Press

 NEW YORK (AP) - The hacker calling himself Mudge pushed his long hair
back, scratched his beard and stared at the computer screen. He knew there
was something wrong with the data traffic he was watching, but what was it? 

 A week earlier, Mudge and his fellow hackers in their hangout known as the
L0pht - pronounced "loft'' - had acquired some software that was supposed
to let computers talk to each other in code. But as Mudge watched the data
he realized someone else was doing the same and maybe even decoding it,
which shouldn't happen. 

 "So you are saying that you're using DES to communicate between the
computers?'' Mudge recalled asking representatives of the software maker.
Yes, they said, they were using DES, a standard encryption method that for
years was considered virtually uncrackable. 

 But this wasn't DES, thought Mudge. It's almost as if... 

 Whoa. He blinked and felt the adrenaline kick in. This wasn't secure at
all. In fact, the encoding was only slightly more complex than the simple
cyphers kids did in grade school - where "A'' is set to 1, "B'' is set to
2, and so on. 

 The company was selling this software as a secure product, charging
customers up to $10,000. And yet, it had a security hole big enough to
waltz through. 

 Instead of exploiting this knowledge, Mudge confronted the company. 

 "You realize there isn't any secure or 'strong' encoding being used in
your communications between the computers, don't you?'' he asked. 

 "Well...'' 

 "And that you claimed you were using DES to encrypt the data,'' he pressed. 

 "That will go in the next revision.'' 

 Mudge is a "real'' hacker - one who used to snoop around the nation's
electronic infrastructure for the sheer love of knowing how it worked. His
kind today are sighted about as often as the timberwolf, and society has
attached to them the same level of legend. 

 Like the wolf, they were once considered a scourge. Law enforcement and
telecommunication companies investigated and arrested many of them during
the late 1980s and early '90s. 

 Today, many elite hackers of the past are making a go at legitimate work,
getting paid big bucks by Fortune 500 companies to explore computer
networks and find the weak spots. 

 And none too soon. The void left by the old hackers has been filled by a
new, more destructive generation. 

 So today, Mudge - who uses a pseudonym like others in the hacker
community, a world where anonymity keeps you out of trouble - wears a white
hat. As part of L0pht, the hacker think tank, he and six comrades hole up
in a South End loft space in Boston and spend their evenings peeling open
software and computer networks to see how they work. 

 When they find vulnerabilities in supposedly secure systems, they publish
their findings on the World Wide Web in hopes of embarrassing the companies
into fixing the problems. A recent example: They posted notice via the
Internet of a problem that makes Lotus Notes vulnerable to malicious hackers. 

 A Lotus spokesman said the company was aware of the flaw but it was
extremely technical and unlikely to affect anyone. 

 The hackers at L0pht have made enemies among industry people, but they
command respect. They were even called to testify before the U.S. Senate
Committee on Governmental Affairs in May. 

 Why do they publish what they find? 

 "If that information doesn't get out,'' Mudge replies, "then only the bad
guys will have it.'' 

 The "bad guys'' are the hacker cliche: secretive teen-age boys lurking
online, stealing credit card numbers, breaking into Pentagon systems, and
generally causing trouble. One of L0pht's members, Kingpin, was just such a
cad when he was younger, extending his online shenanigans to real-world
breaking and entering. Today, L0pht keeps him out of mischief, he said. 

 "We're like midnight basketball for hackers,'' said Weld Pond, another
member. 

 Malicious hacking seems to be on the rise. 

 Nearly two out of three companies reported unauthorized use of their
computer systems in the past year, according to a study by the Computer
Security Institute and the FBI. Another study, from Software AG Americas,
said 7 percent of companies reported a "very serious'' security breach, and
an additional 16 percent reported "worrisome'' breaches. However, 72
percent said the intrusions were relatively minor with no damage. 

 American companies spent almost $6.3 billion on computer security last
year, according to research firm DataQuest. The market is expected to grow
to $13 billion by 2000. 

 Government computers are vulnerable, too. The Defense Department suffered
almost 250,000 hacks in 1995, the General Accounting Office reported. Most
were detected only long after the attack. 

 This is why business booms for good-guy hackers. 

 Jeff Moss, a security expert with Secure Computing Inc., runs a
$995-a-ticket professional conference for network administrators, where
hackers-cum-consultants mingle with military brass and CEOs. 

 "I don't feel like a sellout,'' said Moss, who wouldn't elaborate on his
hacking background. "People used to do this because they were really into
it. Now you can be into it and be paid.'' 

 News reports show why such services are needed: 

 - Earlier this month, hackers struck the Web site of The New York Times,
forcing the company to shutter it for hours. Spokeswoman Nancy Nielsen said
the break-in was being treated as a crime, not a prank. The FBI's computer
crime unit was investigating. 

 - This spring, two California teen-agers were arrested for trying to hack
the Pentagon's computers. Israeli teen Ehud Tenebaum, a k a "The
Analyzer,'' said he mentored the two on how to do it. The two Cloverdale,
Calif., youths pleaded guilty in late July and were placed on probation. 

 - Kevin Mitnick, the only hacker to make the FBI's Ten Most Wanted list,
was arrested in 1995, accused of stealing 20,000 credit card numbers. He
remains in prison. A film called "TakeDown,'' about the electronic
sleuthing that led to Mitnick's capture, is in the works. Comments
protesting Mitnick's prosecution were left during the hack of the New York
Times Web site. 

 - In 1994, Vladimir Levin, a graduate of St. Petersburg Tekhnologichesky
University, allegedly masterminded a Russian hacker gang and stole $10
million from Citibank computers. A year later, he was arrested by Interpol
at Heathrow airport in London. 

 "Lemme tell ya,'' growled Mark Abene one night over Japanese steak
skewers. "Kids these days, they got no respect for their elders.'' 

 Abene, known among fellow hackers as Phiber Optik, should know. He was one
of those no-account kids in the 1980s when he discovered telephones and
computers. For almost 10 years, he wandered freely through the nation's
telephone computer systems and, oh, the things he did and saw. 

 Celebrities' credit reports were his for the taking. Unlimited free phone
calls from pilfered long-distance calling card numbers. Private phone lines
for his buddies, not listed anywhere. And the arcane knowledge of trunk
lines, switches, the entire glory of the network that connected New York
City to the rest of the world. 

 But Abene's ticket to ride was canceled in January 1994, when, at age 22,
he entered Pennsylvania's Schuylkill Prison to begin serving a
year-and-a-day sentence for computer trespassing. The FBI and the Secret
Service described him as a menace. The sentencing judge said Abene, as a
spokesman for the hacking community, would be made an example. 

                  (c) 1998 Associated Press. All rights reserved.
-----------------------
NOTE: In accordance with Title 17 U.S.C. section 107, this material is
distributed without profit or payment to those who have expressed a prior
interest in receiving this information for non-profit research and
educational purposes only. For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
-----------------------




**********************************************
To subscribe or unsubscribe, email:
     majordomo@majordomo.pobox.com
with the message:
     (un)subscribe ignition-point email@address
**********************************************
www.telepath.com/believer
**********************************************